Collaboration
Traditional DMZ based solutions are relatively complex by nature. To scale properly, the infrastructure needs close management. A layered security approach ensures a clear separation between internal and external resources. Specific requirements within such a DMZ design, e.g. hardened operating systems and special connectivity requirements, add further pain for the business users. Even if the solution is very secure, it comes with a high price tag, and time to market suffers.
As mentioned in the last blog entry, a design built around a Web Application Firewall (WAF) can address some of this pain. I don’t want to dig deeper into the technical possibilities of such devices, but some highlights are:
- Ability to inspect content (not only IP address and ports)
- Moderate “errors” in web applications can be hidden from the outside (preventive control)
- Web applications can be protected against standard attacks (Cross Site Scripting, SQL Injection etc.)
- Information gathering can be prevented, e.g. by blocking application specific error messages or overly verbose web server information
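To illustrate the “hide errors from the outside” control from the list above, here is an added example that is not code from the original post: a small Python WSGI middleware (an assumed stack, standing in for the WAF gateway) that masks verbose 5xx bodies and strips server banners, while keeping the original detail in an internal log under a correlation id so developers still get the error feedback.

```python
import uuid

# Headers that fingerprint the server stack; a WAF gateway strips them.
FINGERPRINT_HEADERS = {"server", "x-powered-by", "x-aspnet-version"}
BODY_HEADERS = {"content-type", "content-length"}  # recomputed when body is replaced

class ErrorMaskingMiddleware:
    """Sits in front of a WSGI app like a WAF gateway: verbose 5xx bodies become a
    generic message plus correlation id, fingerprinting headers are removed, and
    the original detail is kept in an internal log for the developers."""
    def __init__(self, app):
        self.app = app
        self.internal_log = []  # stands in for a real log sink (constructed)

    def __call__(self, environ, start_response):
        captured = {}
        def capture(status, headers, exc_info=None):
            captured["status"], captured["headers"] = status, list(headers)
            return lambda data: None  # discard any legacy write() output
        body = b"".join(self.app(environ, capture))
        status = captured["status"]
        headers = [(k, v) for k, v in captured["headers"]
                   if k.lower() not in FINGERPRINT_HEADERS]
        if status.startswith("5"):
            cid = uuid.uuid4().hex
            self.internal_log.append({"id": cid, "status": status,
                                      "detail": body.decode(errors="replace")})
            body = f"Internal error. Reference: {cid}".encode()
            headers = [(k, v) for k, v in headers if k.lower() not in BODY_HEADERS]
            headers += [("Content-Type", "text/plain"),
                        ("Content-Length", str(len(body)))]
        start_response(status, headers)
        return [body]

def leaky_app(environ, start_response):
    """Constructed upstream app that leaks a stack trace and server banners."""
    start_response("500 Internal Server Error",
                   [("Content-Type", "text/html"), ("Server", "Apache/2.2.3"),
                    ("X-Powered-By", "PHP/5.1.6")])
    return [b"<pre>Traceback: sqlite3.OperationalError: near 'OR'</pre>"]

def run(app, path="/"):
    """Invoke a WSGI app offline; return (status, header dict, body bytes)."""
    result = {}
    def start_response(status, headers, exc_info=None):
        result["status"], result["headers"] = status, dict(headers)
    body = b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return result["status"], result["headers"], body
```

Wrapping `leaky_app` in `ErrorMaskingMiddleware` and calling `run` on it returns a 500 with a generic body and no `Server` or `X-Powered-By` header, while the stack trace stays available in `internal_log`.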
The DMZ based design added up to an investment need of 160’000 USD and a period of 23 weeks until go live. The same solution designed with a WAF gateway resulted in a cost saving of 60%, and “Time to Market” was reduced from 23 weeks to 7 weeks. The risk assessment for the WAF solution attested an acceptable risk level given the criticality of the information and the system.
During the implementation of the WAF design, one critical learning came up again for the customer: focusing on application based security requires additional skills which are very often not available. The ability to understand, interpret and implement a business request is crucial. Knowledge is needed in:
- Web application design and security
- Network design and network protocols
- IT security
- Service Delivery / Service Support (key – it is not a “box” any more)
The WAF approach represents a mindset shift for the IT organization away from point solutions towards a standardized, simple and still secure solution supporting fast business adaptation. It represents an innovative security solution to support value creation.
In the next article we are going to describe the basic workings of a WAF, associated risks, the ideal prerequisites and accompanying measures.
Responses
Re: Collaboration
You might need to consider a WAF if you need to become PCI DSS compliant. You should either show that you have a documented secure SDL process in place, or you can install a WAF.
Another interesting way is to use a WAF in pre-production testing: feed the errors found directly back to the developers to improve their code.